WEBVTT

00:00.000 --> 00:02.000
All right.

00:04.000 --> 00:06.000
Shh.

00:08.000 --> 00:10.000
All right.

00:12.000 --> 00:18.000
As a quick polite reminder to everyone here, if you are taking photos, which you're more than welcome to do, make sure that you have the consent of everyone in the frame.

00:18.000 --> 00:20.000
That means everyone.

00:20.000 --> 00:26.000
So if I took a photo up here right now, I'd have to talk to each and every one of you beforehand and say, is it all right to take a photo?

00:26.000 --> 00:28.000
All right.

00:28.000 --> 00:34.000
So, without any further ado, this is LTE versus Darwin by Hendrik and Brian, so please.

00:36.000 --> 00:38.000
Okay.

00:38.000 --> 00:42.000
Thanks. Hello, and welcome to our talk.

00:42.000 --> 00:46.000
So my name is Hendrik and this is Brian. We are both security researchers from Germany.

00:46.000 --> 00:50.000
We are dealing with telecommunication networks, so, for example, 4G LTE networks.

00:50.000 --> 00:54.000
And this is a talk about our current research.

00:54.000 --> 01:02.000
So we analyze the 4G LTE network in backend and frontend and are searching for security problems.

01:02.000 --> 01:08.000
This is, yeah, should be the first talk of some more, and we will see how it goes.

01:08.000 --> 01:10.000
So some background about us.

01:10.000 --> 01:14.000
We are old school network geeks dealing with a lot of technology.

01:14.000 --> 01:20.000
We are working for the company called ERNW in Germany, based in Heidelberg.

01:20.000 --> 01:26.000
And we are working on the security of the 4G LTE network in Germany.
01:30.000 --> 01:32.000
And, yes, we make security assessments.

01:32.000 --> 01:38.000
And if you want to make security assessments in depth, you have to understand the technology in depth.

01:38.000 --> 01:44.000
So we take a look at the technology and then we look at security problems.

01:44.000 --> 01:56.000
We are always talking about some topics, security topics, on our website, for example, if you are interested in talking with us, having a discussion with us.

01:56.000 --> 02:10.000
Also at the conference or, for example, for whoever wants a deeper look inside, we are involved in security in a research project which ended last year, called ASMONIA.

02:10.000 --> 02:14.000
Okay. So back to our talk.

02:14.000 --> 02:16.000
Why 4G LTE?

02:16.000 --> 02:26.000
Because it's a very interesting and new and very complex technology. It's a new one.

02:26.000 --> 02:32.000
And it introduces a lot of very interesting features. For example, self-organizing networks.

02:32.000 --> 02:40.000
As a security guy, if you have a self-organizing network, you are thinking about them. Is it really working?

02:40.000 --> 02:42.000
So we take a look at it.

02:42.000 --> 02:48.000
We are talking about trust, especially, and optional controls mentioned in some specs.

02:48.000 --> 02:52.000
So, yeah. Enjoy the talk.

02:52.000 --> 02:58.000
First of all, we thought each talk should have information. And second, some kind of message.

02:58.000 --> 03:00.000
And because of this, we have a comparison with Darwin.
03:00.000 --> 03:02.000
Brian will explain it to you.

03:02.000 --> 03:06.000
Okay. Yes.

03:06.000 --> 03:14.000
So talking about evolution, I guess for most of you, Darwin is a proper enemy for long-term evolution.

03:14.000 --> 03:22.000
The main aspect we're actually looking at, whether we're believing in Darwin or not, doesn't make a difference for us.

03:22.000 --> 03:28.000
Natural selection actually has a few, say, basic rules, which we think are quite important.

03:28.000 --> 03:32.000
In this case, it is taking oneself out of the gene pool.

03:32.000 --> 03:38.000
Stupid things, especially in technology, shouldn't happen more than once.

03:38.000 --> 03:44.000
And you've got the bug, whatever the vulnerability that was used, it should be fixed.

03:44.000 --> 03:48.000
So second try, it shouldn't happen again.

03:48.000 --> 04:00.000
The Darwin Award itself actually originated from a Usenet group from around about 1985 and has been, yeah, developed further on since.

04:00.000 --> 04:13.000
Simple things, stupid things, a nice guy who actually tried to have some fun with firecrackers in his butt and kind of blowing his balls off.

04:13.000 --> 04:17.000
Now, the thing is you always hear this news and it could be fake.

04:17.000 --> 04:22.000
And most people think they're fake and most people actually say, hope that they're fake.

04:22.000 --> 04:27.000
Problem actually then is quite often they aren't.

04:27.000 --> 04:33.000
And I don't know which one of you would actually try it.

04:33.000 --> 04:36.000
Not really the best thing to do.
04:36.000 --> 04:47.000
So for us, quite simply the question is, is Darwin, is natural selection the one enemy to take down long-term evolution?

04:47.000 --> 04:51.000
OK, back to the technology. We will start with some basics.

04:51.000 --> 04:57.000
Who of you knows the setup of a 4G LTE network? Not many, I thought.

04:57.000 --> 05:03.000
OK, so we start with some basics so everybody tries to understand.

05:03.000 --> 05:10.000
4G LTE first is specified by the 3GPP, the 3rd Generation Partnership Project.

05:10.000 --> 05:18.000
And it really deals with LTE and HSDPA, for example, UMTS networks.

05:18.000 --> 05:24.000
But it already started with GSM.

05:24.000 --> 05:31.000
Another important specification group is the ITU or, in Europe, ETSI.

05:31.000 --> 05:39.000
We are focusing on the specification of 4G LTE. And this is only done by 3GPP.

05:39.000 --> 05:45.000
Here the 3GPP milestones are listed. It starts in 1999.

05:45.000 --> 05:52.000
Here we see CDMA specifications, HSDPA, up to LTE and LTE Advanced.

05:52.000 --> 05:57.000
So we are talking about LTE, but LTE Advanced is based on it.

05:57.000 --> 06:06.000
And LTE was finished about 2012, but it's still in progress.

06:06.000 --> 06:14.000
So there are always changes to the specifications. So it's always a bit tricky to find something there.

06:14.000 --> 06:23.000
And LTE and further LTE research is going on there up to 2016, that is the plan at the moment.

06:23.000 --> 06:27.000
So the basic architecture.

06:27.000 --> 06:33.000
The most important thing is that 4G is based on an IP packet system.
06:33.000 --> 06:39.000
So the old networks, GSM, UMTS, for example, are based on a circuit-switched network.

06:39.000 --> 06:43.000
And 4G LTE has IP communication.

06:43.000 --> 06:49.000
So for all of us, it's quite a bit easier to understand.

06:49.000 --> 06:58.000
We have on the left side, you see on the slide, the LTE wireless network, for example, or non-3GPP networks.

06:58.000 --> 07:07.000
Non-3GPP networks means some kind of untrusted networks connected to the core system.

07:07.000 --> 07:12.000
So, for example, Wi-Fi clients on a hotspot or something like that.

07:12.000 --> 07:16.000
Then we have the packet core domain. This is the core system of the LTE network.

07:16.000 --> 07:21.000
And this system is connected to outside networks, other IP networks, for example, the internet.

07:21.000 --> 07:30.000
Here in more detail, you don't have to understand everything in detail now, but you see there are a lot of components.

07:30.000 --> 07:36.000
And these are not all components specified by the 3GPP. It's very, very complex.

07:36.000 --> 07:42.000
But you have the terminals, the so-called UE, user equipment.

07:42.000 --> 07:49.000
This is connected to the access network. It's a radio access network, so the wireless network, for example.

07:49.000 --> 07:58.000
And this network has a base station, the antenna, for example, and it's routing the packets to the core network.

07:58.000 --> 08:08.000
The core network is the heart of the provider. So there are all the management functionalities and routing functionalities and services provided to the customer.
08:08.000 --> 08:13.000
For example, the MME in the middle, it's a management entity.

08:13.000 --> 08:18.000
This is really the control function server for the whole environment.

08:18.000 --> 08:25.000
Then the SAE gateway, in the middle to the right of the MME.

08:25.000 --> 08:35.000
It's part of the serving gateway and PDN gateway, packet data network gateway, which has a core routing function.

08:35.000 --> 08:43.000
And here all the calls are terminating and then routed to other IP networks, for example.

08:43.000 --> 08:52.000
And then there are a lot more functions like charging systems, the database, HSS, it's the equivalent to the GSM and UMTS network.

08:52.000 --> 08:57.000
So you see there is really a bunch of components.

08:57.000 --> 09:04.000
Another important point is that for calls, voice over IP is used.

09:04.000 --> 09:08.000
This is placed in the IMS, the IP Multimedia Subsystem.

09:08.000 --> 09:16.000
And the PCRF has policies on who is able to do something in the network.

09:16.000 --> 09:22.000
So these are the basics, just a little bit of them.

09:22.000 --> 09:28.000
Now we come to the real, to the important stuff. OK.

09:28.000 --> 09:30.000
LTE in the field.

09:30.000 --> 09:35.000
Now, first question is, what do you actually see out in the field?

09:35.000 --> 09:39.000
The only things that you can really see are antennas and the eNodeBs.

09:39.000 --> 09:41.000
The eNodeB is the actual air interface.

09:41.000 --> 09:47.000
It's the bit that's got the network cable on the one side and the antenna on the other side.
09:47.000 --> 09:57.000
They come in quite a few different shapes and sizes, meaning you've got quite small boxes, say the size of a laptop just a bit thicker, somewhere up on a cell mast.

09:57.000 --> 10:02.000
You've got ginormous 19-inch racks, like you've got for every server system.

10:02.000 --> 10:07.000
Or you've sometimes even really got portable eNodeBs.

10:07.000 --> 10:25.000
During our research, we actually found a few approaches to, say, an eNodeB that could be carried for tactical reasons in a backpack for somebody out in the field, kind of carrying its own LTE network around with it wherever.

10:25.000 --> 10:34.000
There are mainly four different types or four different sizes of cells that are established by these eNodeBs.

10:34.000 --> 10:42.000
The macro cells are the, I guess, normal cells that you have in every town, with a radius of more than 100 meters.

10:42.000 --> 10:50.000
Then you've got the micro cells, which go up to 100 meters, which could be, say, if you've got a block of houses that has to be covered.

10:50.000 --> 10:59.000
Then you've got the pico cells with 20 to 50 meters, which are mainly intended for, say, company use, office use.

10:59.000 --> 11:05.000
So in your own company, you haven't really got very good cell phone reception, so you place a mast somewhere.

11:05.000 --> 11:13.000
And then, of course, you've got the home eNodeBs, which are, let's say, femtocells. The same principle.
11:13.000 --> 11:19.000
The most important thing about an eNodeB, if you think about it, it's somewhere out in the field.

11:19.000 --> 11:28.000
I guess a few of you have seen cell masts and seen the security measures around them. Probably guard dogs and whatever.

11:28.000 --> 11:38.000
That's the one point where all encryption coming from the UE terminates and, on the other side, where all the encryption from the back end terminates.

11:38.000 --> 11:45.000
So say you've got access to an eNodeB, everybody using it is yours.

11:45.000 --> 11:52.000
Now, having all these different sizes of cells results in heterogeneous networks.

11:52.000 --> 12:03.000
You've got, above the normal LTE cells, you've got systems like WiMAX and Wi-Fi, and they actually come up in specifications.

12:03.000 --> 12:16.000
So there are concepts that people can actually roam from an LTE network over into your WiMAX network or into your normal Wi-Fi network, which, of course, is quite a complex situation.

12:16.000 --> 12:26.000
And for that reason, you've got the functionality of self-organizing and self-configuring networks, which we'll have a look at later on.

12:26.000 --> 12:31.000
Just as an example, a small eNodeB as you can really find them outside.

12:31.000 --> 12:37.000
An eNodeB has got ports for multiple antennas.

12:37.000 --> 12:47.000
Simple reason: on the one hand, LTE is a multiple input, multiple output system. So increasing throughput by using multiple antennas.
12:47.000 --> 12:52.000
Above that, an eNodeB is able to establish multiple phone cells.

12:52.000 --> 13:09.000
Using directional antennas, you can actually go around the cell mast in certain areas, and depending on which side you're on, you've really got a different cell, which means, of course, in areas where two cells would collide, you put the cell mast in between, and you optimize coverage.

13:09.000 --> 13:13.000
The eNodeBs themselves are placed close to the antennas.

13:13.000 --> 13:21.000
Smaller devices can sometimes really be placed up on the cell mast. Larger devices, of course, on the ground.

13:21.000 --> 13:24.000
As I said before, connected via LAN.

13:24.000 --> 13:33.000
Self-configuring, you've got stuff like DHCP running and giving an eNodeB an IP address. Interesting solution.

13:33.000 --> 13:41.000
Now, what we had quite a good look at are, yeah, UEs. Question, what do we have?

13:41.000 --> 13:50.000
We've got phones. Of course, phones are there to do phone calls. We said it's an IP-based system. So you've got voice over IP.

13:50.000 --> 13:55.000
SMS are turned into SIP messages. Just the way it goes.

13:55.000 --> 14:04.000
And above that, of course, you've got normal tablets and slates, you've got your USB sticks and USB modems, 4G cards, mobile hotspots.

14:04.000 --> 14:18.000
And funnily enough, even an active relay node in an LTE network will at some moment play a simple UE. But we'll have a closer look at that later.
14:18.000 --> 14:29.000
Our scope, yeah, usually if you look at mobile devices, you look at the software, you might have a look at hardware attacks, and you'd probably have a look at the apps installed.

14:29.000 --> 14:34.000
We, on the other hand, are actually trying to have a look at the equipment from the outside.

14:34.000 --> 14:41.000
Say, what can we find out about a mobile phone without having it in our hands?

14:41.000 --> 14:46.000
And I'm thinking about, what does the mobile phone actually know about the network?

14:46.000 --> 14:55.000
Typical data is the physical cell ID, the tracking area code, normal signal strength measurements, and its own position.

14:55.000 --> 15:03.000
The cell ID, or physical cell ID, is round about similar to the normal cell IDs you know from GSM networks.

15:03.000 --> 15:10.000
A normal identifier to know where you are, and for the backend to know where a mobile phone is.

15:10.000 --> 15:13.000
In LTE, there are 504 different IDs.

15:13.000 --> 15:19.000
So, of course, if you think about a large country, you'll have far more cells than only 504.

15:19.000 --> 15:26.000
The system there is by using automated neighbor relations between eNodeBs.

15:26.000 --> 15:31.000
It's only important that you haven't got the same cell IDs in adjacent cells.

15:31.000 --> 15:35.000
So, as you go further out, cell IDs can simply repeat.

15:35.000 --> 15:40.000
Above that, nowadays, in LTE, you've got tracking areas.

15:40.000 --> 15:44.000
Now, thinking about GSM, paging.

15:44.000 --> 15:50.000
A phone call comes in for a mobile phone, which is usually in standby mode, and it has to be woken up.
15:50.000 --> 15:56.000
Paging messages are sent out; they used to go to a cell. Nowadays, they go to a tracking area.

15:56.000 --> 16:01.000
And if you think about it, a tracking area can contain multiple cells.

16:01.000 --> 16:05.000
It is actually quite interesting to try to work out how large the tracking area is.

16:05.000 --> 16:14.000
How far do I have to be away from a mobile phone to maybe work out that he's actually being called at the moment?

16:14.000 --> 16:20.000
Then you've got the signal strength. Not a lot to be said about that.

16:20.000 --> 16:28.000
I guess you really know how good the bars you've got on your mobile phones are. Mainly just fun.

16:28.000 --> 16:37.000
Then you've got location. Of course, a mobile phone can get its own location using systems like GPS, Galileo, or GLONASS.

16:37.000 --> 16:43.000
But above that, you can use cell-network-based positioning.

16:43.000 --> 16:54.000
For these approaches, there's the enhanced serving mobile location center somewhere in the back end, which simply is a system that will help a piece of equipment to find out its own position.

16:54.000 --> 17:01.000
The equipment can send out a request, and then the E-SMLC will do the rest.

17:01.000 --> 17:06.000
Positioning itself is then done by observed time difference of arrival.

17:06.000 --> 17:15.000
So your mobile phone will get a list of certain eNodeBs that are around you. It'll wait for certain messages, and will just measure the time difference in between.

17:15.000 --> 17:20.000
And by that, a normal triangulation is possible again.
17:20.000 --> 17:30.000
Then we've got the question of accessing data. If you've got your mobile phone, there are various ways to really access the data that you'd like to have.

17:30.000 --> 17:36.000
On iOS systems, you've got the very magic number that I'm not going to read out now.

17:36.000 --> 17:49.000
Giving out various information on the cell ID, the tracking area, yes, on the second one, and just the stuff that we want to have a look at.

17:49.000 --> 17:53.000
On Android, you've got some extra apps. I've just got an example here.

17:53.000 --> 18:00.000
And then the big question, as I said, why do we actually want this data?

18:00.000 --> 18:05.000
I guess all of you know that it's quite important to know how stuff works.

18:05.000 --> 18:12.000
I guess that's how you would have known that it kind of has got some recoil. Nah.

18:12.000 --> 18:18.000
For us with technology, you've got to do your homework before you can do any kind of security assessment.

18:18.000 --> 18:25.000
And of course, 3GPP has published stacks of documentation, stacks of white papers and stuff.

18:25.000 --> 18:33.000
But white papers really never show what's in the field. So it's up to us to just have a look at it.

18:33.000 --> 18:42.000
Our simple approach at the moment is to write a small app for Android devices. I know there are a few out on the market, but we just want a minimalistic system.

18:42.000 --> 18:48.000
Get all the cell mast information that it's got. Get the current position. Stick it all into an XML file.
18:48.000 --> 18:52.000
Do some good old classic wardriving.

18:52.000 --> 19:03.000
You can do it simply in an Android app, or you can do it manually using some kind of 4G modem or a mobile phone using AT commands.

19:03.000 --> 19:17.000
You've got this good old AT+COPS?, which will give you information on all the networks that a single cell can see at the moment, or that a single mobile device can see at the moment.

19:17.000 --> 19:22.000
So that's one of the parts of research that we're currently working on.

19:22.000 --> 19:26.000
Just sit in our cars, have a look around.

19:26.000 --> 19:34.000
When we're done, or when the app is finished and we've got some data, we'll publish it on our blog; if you have interest, you can have a look at it.

19:34.000 --> 19:42.000
And of course, if you ever want to know what kind of LTE systems are around you, give it a try and just see.

19:42.000 --> 19:44.000
Now we've got the question of third party awareness.

19:44.000 --> 19:53.000
What can somebody else in a mobile phone network actually see about my phone? What data can you get?

19:53.000 --> 20:00.000
LTE is an IP network, so of course, scanning is possible. We'll have a look at that a little bit later on.

20:00.000 --> 20:07.000
Of course, there are some sorts of access control lists out in the field which work perfectly.

20:07.000 --> 20:18.000
And at this point, sorry, we're going to have a look at some exemplary data, which is the attach procedure, meaning the initial bearer setup.

20:18.000 --> 20:22.000
Involved components, of course. The whole back end is involved.
20:22.000 --> 20:26.000
The eNodeB and, of course, the user equipment.

20:26.000 --> 20:31.000
I've got the very simple scenario. Some mobile phone is switched on.

20:31.000 --> 20:50.000
It'll contact the eNodeB, send out the RRC connection request, and at that stage will include some kind of S-TMSI, a temporary mobile subscriber identity, or in some situations simply a random row of digits.

20:50.000 --> 20:54.000
Data is transferred over to the eNodeB. Initial connection is set up.

20:54.000 --> 21:02.000
And then, just as we're used to from GSM systems, the mobile phone sends out its IMSI.

21:02.000 --> 21:10.000
So at this point, we'd still be able to use some sort of LTE IMSI catcher to get this little number.

21:10.000 --> 21:17.000
Above that, data is sent on from the eNodeB back into the back end to the MME.

21:17.000 --> 21:28.000
Just to think about it, communication from the eNodeB to the MME, which is NAS messages, is always encrypted.

21:28.000 --> 21:32.000
That's the way that it has to be. Every packet needs an encryption header.

21:32.000 --> 21:41.000
Problem just is the algorithms that they've got on offer.

21:41.000 --> 21:48.000
It has to be encrypted, so why give the option?

21:48.000 --> 21:59.000
After that, of course, the MME in the back end fetches all necessary keys for the mobile phone, fetches subscriber data, passes it back onto the front.

21:59.000 --> 22:03.000
The eNodeB establishes the actual connection.

22:03.000 --> 22:15.000
And from that moment on, all data transmitted is actually encrypted, meaning we can still reach the IMSI, but that's about it.
22:15.000 --> 22:25.000
And especially going up to the next level, it's an IP network, so there isn't really a lot that you can catch over the air if it's done properly.

22:25.000 --> 22:31.000
If it is, the future will have to show. Yeah.

22:31.000 --> 22:38.000
Then we've got the paging process. The paging process in GSM systems is quite interesting.

22:38.000 --> 22:48.000
I think an attack was published last year simply using hacked mobile phones answering all paging requests.

22:48.000 --> 22:55.000
Kind of, the network says, hey, where's mobile phone ABC? And one of the mobile phones says, hey, it's me.

22:55.000 --> 23:03.000
And these mobile phones actually did that for all possible phones around them. Breaking stuff.

23:03.000 --> 23:10.000
So the question is, how is paging actually here with us in LTE? It is slightly similar, of course.

23:10.000 --> 23:16.000
The UE is in some kind of standby mode and gets data sent to it.

23:16.000 --> 23:22.000
The UE wakes up from time to time, periodically, gets the stuff, and good.

23:22.000 --> 23:29.000
Problem just is you haven't really got this "hey, phone ABC, there is a message for you" anymore.

23:29.000 --> 23:41.000
You've got a frame, and somewhere in this frame there's a little, to do it simpler, we call it a flag, saying, hey, there's a message for you at that point.

23:41.000 --> 23:51.000
So all mobile phones will get or can get the same paging frames, but they'll only react to the data that's really for them.

23:51.000 --> 23:56.000
And of course, the frame to react to is slightly obfuscated.
23:56.000 --> 24:03.000
I've got to say I love all slides just with the formula on it, so I just had to do it.

24:03.000 --> 24:05.000
Finding the frame.

24:05.000 --> 24:10.000
You've got a system frame number on every frame that goes out.

24:10.000 --> 24:21.000
You've got a DRX cycle of the UE, which is actually the interval in system frames in which the UE wakes up and checks for paging messages.

24:21.000 --> 24:27.000
Then you've got the number of paging occasions per DRX, which is a setting in the eNodeB.

24:27.000 --> 24:35.000
You've got N, the minimum of the DRX cycle and the number of paging occasions.

24:35.000 --> 24:42.000
And you've got the so-called UE ID, which is IMSI mod 1024.

24:42.000 --> 24:48.000
So by this point, you'll have a slight problem identifying any kind of mobile phone on the network.

24:48.000 --> 24:53.000
It's not the IMSI that's used anymore. It's the IMSI mod 1024.

24:53.000 --> 25:02.000
So actually reversing that to a 15-digit or breaking it down to a 10-digit IMSI number, not really very easy to do anymore.

25:02.000 --> 25:07.000
Above that, you've got the paging occasion, meaning you've got the whole frame.

25:07.000 --> 25:13.000
This frame has got subframes, and the UE has to identify the actual subframe that it's got to look at.

25:13.000 --> 25:20.000
For that, you've got the next function looking at the whole frame and then finding positions.

25:20.000 --> 25:26.000
These subframes are, say, 10 elements long.
25:26.000 --> 25:40.000
And you see it in the little table on there, which is actually from the specs, that only in positions 0, 4, 5, and 9 you can have a paging occasion that you can react to.

25:40.000 --> 25:52.000
Now, doing a little bit of maths, playing around with it, you'll work out that there is a maximum of 8,160 paging occasions.

25:52.000 --> 25:57.000
So of course, you'd think, hey, that makes it easy for me to find a mobile phone.

25:57.000 --> 26:08.000
But yet again, as soon as a mobile phone roams, goes into a different eNodeB cell, the constants are different, so the whole terms change.

26:08.000 --> 26:12.000
So yet again, you can't track a device.

26:12.000 --> 26:17.000
Above that, playing around with the numbers a little bit further, you've got four possible paging locations.

26:17.000 --> 26:26.000
It ends up that you can actually only have 32,640 different paging codes in one single cell.

26:26.000 --> 26:33.000
Which means if you'd have another mobile phone extra in that cell, two phones would actually be paged by the same message.

26:33.000 --> 26:39.000
But even then, who cares? What's the impact? You lose a little bit of extra battery power.

26:39.000 --> 26:44.000
But above that, it doesn't really make a lot of difference.

26:44.000 --> 26:50.000
And at this point, we're going to jump back to the back end structure. Yeah.

26:50.000 --> 26:53.000
Let's take a look at the other side, the back end structure.

26:53.000 --> 26:58.000
The eNodeB and the components behind it. You remember the structure.
26:58.000 --> 27:02.000 Here we have one or more eNodeBs connected to each other and 27:02.000 --> 27:05.000 the back end of the provider. 27:05.000 --> 27:08.000 All these components are talking to each other by the 27:08.000 --> 27:09.000 so-called control plane. 27:09.000 --> 27:14.000 The control plane means the plane where all the management 27:14.000 --> 27:17.000 traffic is going over. 27:17.000 --> 27:19.000 Then the other part is the user plane. 27:19.000 --> 27:21.000 All the user traffic is going over it. 27:21.000 --> 27:27.000 And both of these should be protected by IPsec. 27:27.000 --> 27:32.000 All the security in 4G for transmission protection is based 27:32.000 --> 27:33.000 on IPsec. 27:33.000 --> 27:35.000 And we all need to know how well this is working. 27:35.000 --> 27:38.000 But we will see. 27:38.000 --> 27:42.000 Some quotes from the specification about end point 27:42.000 --> 27:45.000 security. 27:45.000 --> 27:49.000 All eNodeBs, for example, shall be authenticated and 27:49.000 --> 27:51.000 authorized. 27:51.000 --> 27:54.000 So the attackers shall not be able to modify the eNodeB 27:54.000 --> 27:55.000 settings. 27:55.000 --> 27:57.000 Sounds good, I would say. 27:57.000 --> 27:59.000 Shall be authenticated and authorized. 27:59.000 --> 28:00.000 But what does it mean? 28:00.000 --> 28:03.000 We as attackers want to have access to the devices. 28:03.000 --> 28:06.000 So, okay, there's an authentication. 28:06.000 --> 28:08.000 So we need a better access. 28:08.000 --> 28:10.000 How do we get access? 28:10.000 --> 28:16.000 For example, this is a common security structure of an eNodeB 28:16.000 --> 28:19.000 standing somewhere in the forest, I would say. 28:19.000 --> 28:21.000 You see the security mechanisms there. 28:21.000 --> 28:25.000 Just jump over, open the door, and you have access. 28:25.000 --> 28:28.000 And you have access to an IP network. 28:28.000 --> 28:32.000 So somewhere there, an Ethernet switch is standing.
28:32.000 --> 28:34.000 And you can plug in and see the traffic. 28:34.000 --> 28:35.000 Okay. 28:35.000 --> 28:37.000 There was one point. 28:37.000 --> 28:39.000 It's IPsec encrypted. 28:39.000 --> 28:43.000 So let's take a look at both the certificates and the 28:43.000 --> 28:45.000 certificate chain. 28:45.000 --> 28:47.000 How is it going? 28:47.000 --> 28:53.000 How does an eNodeB get its public and private key pair? 28:53.000 --> 28:57.000 Usually the key pair is created locally. 28:57.000 --> 29:00.000 So on the eNodeB itself. 29:00.000 --> 29:02.000 So it's okay. 29:02.000 --> 29:04.000 And it should never reach outside. 29:04.000 --> 29:09.000 So it never leaves the platform. 29:09.000 --> 29:14.000 Then the public key is signed by the 29:14.000 --> 29:16.000 factory certificate of the vendor. 29:16.000 --> 29:22.000 And this certificate, the factory certificate, is 29:22.000 --> 29:28.000 sent to the customer in a secure way, whatever this means. 29:28.000 --> 29:31.000 On this secure way, it comes to the customer, so the 29:31.000 --> 29:36.000 operator, and the operator stores the key as a high level 29:36.000 --> 29:39.000 certificate in its key store. 29:39.000 --> 29:41.000 Yes. 29:41.000 --> 29:45.000 For a hacker, for an attacker, what does it mean? 29:45.000 --> 29:49.000 This means at this point, if he gets the certificate, he 29:49.000 --> 29:52.000 has a certificate near to the root. 29:52.000 --> 29:53.000 Sounds nice. 29:53.000 --> 30:00.000 So, but whatever, just a bit of discussion on that. 30:00.000 --> 30:02.000 It doesn't really matter. 30:02.000 --> 30:03.000 Why? 30:03.000 --> 30:10.000 Because in the specifications, it is stated that IPsec 30:10.000 --> 30:16.000 must be used, so it's required to implement IPsec, but only 30:16.000 --> 30:18.000 in tunnel mode. 30:18.000 --> 30:24.000 And transport mode is better, but it's set to optional.
30:24.000 --> 30:29.000 So in most cases, there will be some security gateways in 30:29.000 --> 30:33.000 front of the eNodeBs, and if you get between the eNodeB and the 30:33.000 --> 30:36.000 security gateway, you have unencrypted traffic. 30:36.000 --> 30:39.000 Okay, nice. 30:39.000 --> 30:42.000 Some more notes about that. 30:42.000 --> 30:46.000 Again, some notes out of the specification. 30:46.000 --> 30:51.000 If the control plane or the user plane are trusted, and we 30:51.000 --> 30:56.000 know how trusted the environment here is, there is no need to 30:56.000 --> 30:57.000 use protection. 30:57.000 --> 31:02.000 That's how it's stated in the specification. 31:02.000 --> 31:06.000 And there is a note just below. 31:06.000 --> 31:11.000 In case S1 and X2 user plane are trusted, e.g. physically 31:11.000 --> 31:15.000 protected, protection is not needed. 31:15.000 --> 31:20.000 So this is a physical protection. 31:20.000 --> 31:23.000 Some more words about security for the endpoints. 31:23.000 --> 31:28.000 It's a really, really complex environment. 31:28.000 --> 31:32.000 So DHCP is used, there are a lot of certificates. 31:32.000 --> 31:34.000 There are a lot of 31:37.000 --> 31:40.000 security gateways, and there are a lot of 31:40.000 --> 31:42.000 auto-connection mechanisms implemented and 31:42.000 --> 31:44.000 auto-configuration mechanisms. 31:44.000 --> 31:49.000 So there are a lot of servers always communicating with the 31:49.000 --> 31:50.000 eNodeBs. 31:50.000 --> 31:54.000 And this is very, very complex, and with complexity there are 31:54.000 --> 31:56.000 often implementation failures. 31:56.000 --> 32:01.000 So feel free to try it or something. 32:01.000 --> 32:04.000 So this is a very complex environment. 32:06.000 --> 32:10.000 So there are a lot of common IP network problems and 32:10.000 --> 32:11.000 vulnerabilities.
32:11.000 --> 32:16.000 Here, for example, we have done some 32:16.000 --> 32:21.000 scans, and the upper picture shows that the host is down, and 32:21.000 --> 32:26.000 the picture on the bottom shows a scan from inside of the 32:26.000 --> 32:27.000 provider's network. 32:27.000 --> 32:30.000 So you see that there is a difference if you are in the 32:30.000 --> 32:33.000 network, and you are connected via UMTS or LTE. 32:33.000 --> 32:36.000 In this case, LTE. 32:36.000 --> 32:41.000 So on the bottom picture, you see here is a host of the 32:41.000 --> 32:46.000 provider, so some servers inside of the network with which 32:46.000 --> 32:49.000 you can communicate. 32:49.000 --> 32:55.000 And then you have access to the target, and yes, we know it 32:55.000 --> 32:57.000 now, some vulnerabilities. 32:57.000 --> 33:01.000 There is some kind of vulnerability testing necessary, 33:01.000 --> 33:06.000 and you can explore some vulnerability, for example. 33:06.000 --> 33:08.000 But it's illegal, too. 33:08.000 --> 33:13.000 Here, for an example, you see an ATP CLI. 33:13.000 --> 33:17.000 This is a Huawei BTS system we found. 33:17.000 --> 33:19.000 Yes, with telnet open. 33:19.000 --> 33:23.000 Nice, I would say, in an LTE network, whatever. 33:23.000 --> 33:25.000 Why ever? 33:25.000 --> 33:27.000 There is a problem, I would say. 33:27.000 --> 33:30.000 And why is it so? 33:30.000 --> 33:35.000 APNs, if somebody has heard of APNs, so APN stands for 33:35.000 --> 33:36.000 access point name. 33:36.000 --> 33:40.000 The access point name is the gateway you are using. 33:40.000 --> 33:42.000 And depending on the gateway you are using, you have 33:42.000 --> 33:44.000 another access list. 33:44.000 --> 33:49.000 So the firewall rule set is a different one, for example. 33:49.000 --> 33:51.000 And APNs usually are well known.
33:51.000 --> 33:55.000 So you get an APN from the provider you are putting into 33:55.000 --> 33:57.000 your phone, into your configuration, and then you 33:57.000 --> 33:59.000 have a gateway. 33:59.000 --> 34:01.000 But there are always some more gateways. 34:01.000 --> 34:05.000 For example, there are hidden emergency call gateways you 34:05.000 --> 34:09.000 can use with an anonymous SIM or without a SIM, and you can 34:09.000 --> 34:11.000 do some phone calls. 34:11.000 --> 34:16.000 And they often have some debugging APNs, for example, or 34:16.000 --> 34:17.000 something like that. 34:17.000 --> 34:25.000 And these APNs have a different and mostly open access list. 34:25.000 --> 34:30.000 And if you find the APN name, you are on another point in the 34:30.000 --> 34:32.000 network. 34:32.000 --> 34:37.000 Here, for example, is a tool from ERNW called APNBF. 34:37.000 --> 34:39.000 You can download it in CodeCafé. 34:39.000 --> 34:42.000 This is a bruteforcer for APN bruteforcing. 34:42.000 --> 34:47.000 So you can bruteforce and try to find such systems. 34:47.000 --> 34:51.000 OK. 34:51.000 --> 34:56.000 To do something against it, there is a specification from 34:56.000 --> 35:00.000 3GPP, but it's from the year 2013. 35:00.000 --> 35:02.000 So it's really, really new. 35:02.000 --> 35:08.000 It's a bit of a shame that it comes up in 2013, and not 35:08.000 --> 35:09.000 earlier. 35:09.000 --> 35:12.000 But now it's there, so OK. 35:12.000 --> 35:18.000 And this specification shows up and recommends a security 35:18.000 --> 35:20.000 assurance methodology. 35:20.000 --> 35:25.000 For example, a lifecycle management process, security 35:25.000 --> 35:28.000 compliance testing, basic vulnerability testing, and 35:28.000 --> 35:30.000 enhanced vulnerability analysis. 35:30.000 --> 35:33.000 So they are on the right way, I would say.
35:33.000 --> 35:39.000 But it's not really, it's the theory, and we will see how 35:39.000 --> 35:44.000 it is in practice in the next years. 35:44.000 --> 35:47.000 Back to the S1 interface. 35:47.000 --> 35:52.000 The S1 interface is the main control interface between the 35:52.000 --> 35:56.000 base station, so the eNodeB, and the management entities. 35:56.000 --> 36:00.000 It's based on, and there a new protocol was developed called 36:00.000 --> 36:02.000 S1AP. 36:02.000 --> 36:06.000 S1AP stands for S1 application protocol. 36:06.000 --> 36:10.000 Therefore, to deliver the content, the management 36:10.000 --> 36:16.000 traffic, SCTP destination port 36412 is used. 36:16.000 --> 36:18.000 But what can attackers do? 36:18.000 --> 36:24.000 So if an attacker gets access to the eNodeB, he can try to speak 36:24.000 --> 36:26.000 S1AP. 36:26.000 --> 36:38.000 At this point, we developed some scripts we wanted to show 36:38.000 --> 36:40.000 you. 36:40.000 --> 36:44.000 With this script, it is possible to fake S1AP messages. 36:44.000 --> 36:47.000 I hope you see the demo. 36:47.000 --> 36:53.000 Here I have an SCTP listener running locally. 36:53.000 --> 36:57.000 And I use it in a tool called Dizzy. 36:57.000 --> 36:59.000 Dizzy is a protocol fuzzer. 36:59.000 --> 37:03.000 But it's also possible to send single messages to spoof 37:03.000 --> 37:05.000 messages. 37:05.000 --> 37:14.000 I have Wireshark open to demonstrate it. 37:14.000 --> 37:18.000 Now you see that I have sent an S1AP message. 37:18.000 --> 37:24.000 This, for example, here you see it, has all the items 37:24.000 --> 37:26.000 included we need. 37:26.000 --> 37:30.000 It tells the eNodeB, from the MME, that the eNodeB should 37:30.000 --> 37:35.000 release a specific radio access. 37:35.000 --> 37:38.000 A call will be dropped or a user will be dropped from a 37:38.000 --> 37:40.000 session.
37:40.000 --> 37:45.000 Sending these messages can interrupt or disrupt the eNodeB in 37:45.000 --> 37:47.000 its work. 37:47.000 --> 37:52.000 On the other side, you can speak with the MME and do some 37:52.000 --> 37:54.000 kind of stuff. 37:54.000 --> 38:00.000 So we developed some scripts to test it, to play around with 38:00.000 --> 38:02.000 it. 38:02.000 --> 38:06.000 There are a lot of nice messages, for example, we wrote. 38:06.000 --> 38:10.000 You can initiate some handovers if you like to. 38:10.000 --> 38:14.000 So you tell the eNodeB, hey, give me a session, a call of 38:14.000 --> 38:19.000 somebody, and hand it over to some other eNodeBs. 38:19.000 --> 38:24.000 An eNodeB of an attacker, for example. 38:24.000 --> 38:26.000 So there are really a lot of them. 38:26.000 --> 38:31.000 The scripts, I will publish them after the con on our blog. 38:31.000 --> 38:33.000 Who is interested? 38:33.000 --> 38:37.000 You can really do a lot with them on the premise that you 38:37.000 --> 38:41.000 have an eNodeB or an MME, for example. 38:41.000 --> 38:45.000 Furthermore, it's possible to do some kind of implementation 38:45.000 --> 38:50.000 testing with this tool. 38:50.000 --> 38:55.000 So now it's looking like this. 38:55.000 --> 39:00.000 We are sending a lot of different S1AP messages. 39:00.000 --> 39:07.000 And, yeah, feel free to look how the eNodeB is reacting. 39:07.000 --> 39:09.000 So that's it. 39:16.000 --> 39:18.000 Okay. 39:18.000 --> 39:41.000 Back to the slides. 39:41.000 --> 39:43.000 So what does it mean? 39:43.000 --> 39:48.000 In this case, it means that you have to understand how the 39:48.000 --> 39:50.000 technology really works. 39:50.000 --> 39:53.000 So the providers should do some kind of implementation 39:53.000 --> 39:56.000 testing, find out how this stuff works and how they 39:56.000 --> 39:57.000 developed it. 39:57.000 --> 40:05.000 Otherwise, this may happen.
40:05.000 --> 40:10.000 And I think that's not good. 40:10.000 --> 40:13.000 Okay. 40:13.000 --> 40:16.000 Now to the next aspect, self-organizing networks. 40:16.000 --> 40:19.000 I've got to admit, that's actually the first thing that 40:19.000 --> 40:22.000 I got in contact with when talking about LTE. 40:22.000 --> 40:26.000 And I've got to say, I just love the principle. 40:26.000 --> 40:28.000 There are two things about it. 40:28.000 --> 40:31.000 You've got the self-configuration aspect, which 40:31.000 --> 40:35.000 is big style plug and play, big style as in cell phone 40:35.000 --> 40:40.000 network. 40:40.000 --> 40:41.000 The why, yeah. 40:41.000 --> 40:42.000 Cost. 40:42.000 --> 40:44.000 Just think about it. 40:44.000 --> 40:46.000 You've got some technician going out with a normal GSM 40:46.000 --> 40:47.000 cell mast. 40:47.000 --> 40:48.000 He's got to put up the mast. 40:48.000 --> 40:49.000 He's got to put up the antenna. 40:49.000 --> 40:51.000 He's got to attach the BTS. 40:51.000 --> 40:54.000 He's got to blooming configure it somewhere out in the 40:54.000 --> 40:55.000 field. 40:55.000 --> 40:57.000 And he's got to put configuration data in, which 40:57.000 --> 40:59.000 means you've got some high-skilled technician somewhere 40:59.000 --> 41:02.000 out in the woods doing the same job every day. 41:02.000 --> 41:05.000 And that's actually quite expensive. 41:05.000 --> 41:06.000 So what do you want? 41:06.000 --> 41:08.000 You want a little black box. 41:08.000 --> 41:09.000 You attach an antenna. 41:09.000 --> 41:10.000 You attach a LAN cable. 41:10.000 --> 41:14.000 You connect power, and the whole thing is up and running. 41:14.000 --> 41:18.000 Truly sounds great. 41:18.000 --> 41:23.000 An eNodeB itself is kind of pre-configured. 41:23.000 --> 41:26.000 It comes from the factory already set up with a 41:26.000 --> 41:30.000 certificate on it or a set of certificates. 41:30.000 --> 41:33.000 It's got DHCP activated.
41:33.000 --> 41:35.000 Can you imagine that? 41:35.000 --> 41:40.000 A cell base station having DHCP on the back end. 41:40.000 --> 41:42.000 Just imagine if somebody really gets access to one 41:42.000 --> 41:45.000 single LAN socket, you might really be able to take down 41:45.000 --> 41:48.000 the whole network. 41:48.000 --> 41:51.000 Then the eNodeB has got a hardware ID. 41:51.000 --> 41:54.000 Depending on this hardware ID, the back end will publish 41:54.000 --> 41:59.000 some kind of configuration, and the eNodeB will be 41:59.000 --> 42:01.000 quite quickly up and running. 42:01.000 --> 42:05.000 The only thing missing is GPS data. 42:05.000 --> 42:07.000 If you've got a network, and I said so before, that 42:07.000 --> 42:10.000 different eNodeBs are able to communicate with each other, 42:10.000 --> 42:13.000 every eNodeB has to know where it is. 42:13.000 --> 42:16.000 So either you connect some external device on the 42:16.000 --> 42:19.000 beautiful management interface, configure the 42:19.000 --> 42:25.000 positioning data, or you simply use internal GPS receivers. 42:25.000 --> 42:28.000 Why does the eNodeB have internal GPS receivers? 42:28.000 --> 42:30.000 Timing. 42:30.000 --> 42:35.000 GPS still is one of the easiest ways to get actual time codes. 42:35.000 --> 42:38.000 And cell phone systems are time critical, so you need 42:38.000 --> 42:42.000 current times, you use GPS. 42:42.000 --> 42:45.000 Then you've got relay nodes. 42:45.000 --> 42:47.000 Somewhere in the beginning I actually said that a 42:47.000 --> 42:50.000 relay node would be a UE. 42:50.000 --> 42:53.000 In theory, it can really be. 42:53.000 --> 42:59.000 Now, the relay node itself is a selective repeater. 42:59.000 --> 43:02.000 So it will only repeat signal coming from one certain 43:02.000 --> 43:04.000 eNodeB or from one certain cell.
43:04.000 --> 43:07.000 The problem then just is, how do you actually configure 43:07.000 --> 43:09.000 it somewhere out in the field? 43:09.000 --> 43:11.000 You connect it using a SIM card. 43:11.000 --> 43:16.000 It goes to the back end, says, hey, I'm a relay node. 43:16.000 --> 43:18.000 What am I supposed to do here? 43:18.000 --> 43:21.000 It then gets some configuration data, gets the data 43:21.000 --> 43:24.000 of this single eNodeB that it's supposed to repeat, 43:24.000 --> 43:26.000 and it's going to work like that. 43:26.000 --> 43:29.000 So in the same mobile phone network that your phone is in, 43:29.000 --> 43:33.000 there's configuration data configuring other cell phone 43:33.000 --> 43:37.000 or cell network aspects. 43:37.000 --> 43:41.000 Then you've got the wonderful self-optimization process. 43:41.000 --> 43:44.000 Now, optimization is very important, 43:44.000 --> 43:47.000 as everybody probably knows. 43:47.000 --> 43:50.000 So self-optimization in wireless networks. 43:50.000 --> 43:52.000 What do you want to do? 43:52.000 --> 43:54.000 You want to avoid overlap. 43:54.000 --> 43:57.000 It doesn't make any sense to have some area covered 43:57.000 --> 43:59.000 twice or three times. 43:59.000 --> 44:02.000 So what you do, you let the single cells communicate 44:02.000 --> 44:04.000 with each other. 44:04.000 --> 44:09.000 So two eNodeBs will be able to talk and to share 44:09.000 --> 44:12.000 both time and frequency domains in between them 44:12.000 --> 44:16.000 and really reduce the signal strength. 44:16.000 --> 44:20.000 Now, one quite funny aspect is how does an eNodeB 44:20.000 --> 44:22.000 see another one? 44:22.000 --> 44:25.000 Well, by asking some user equipment, 44:25.000 --> 44:27.000 hey, do you see any other networks? 44:27.000 --> 44:29.000 And the cell phone says, yeah, hey, 44:29.000 --> 44:31.000 there's another eNodeB here.
44:31.000 --> 44:35.000 And go on, kind of faking a few messages 44:35.000 --> 44:38.000 and putting two eNodeBs a little bit closer together 44:38.000 --> 44:42.000 isn't really very, or shouldn't be very, difficult. 44:42.000 --> 44:44.000 Then you've got the home eNodeBs, 44:44.000 --> 44:46.000 the connections that you've actually got 44:46.000 --> 44:48.000 in your house at home. 44:48.000 --> 44:50.000 Come on, you hack them. 44:50.000 --> 44:52.000 They're able to speak the same protocols 44:52.000 --> 44:54.000 as the proper eNodeBs. 44:54.000 --> 44:56.000 They come in over a different security gateway, 44:56.000 --> 44:58.000 but you know how good gateways are. 44:58.000 --> 45:01.000 Maybe having your own home eNodeB at home 45:01.000 --> 45:04.000 might enable you to take down a little LTE network. 45:04.000 --> 45:07.000 Okay, at this point, having some fun. 45:07.000 --> 45:11.000 X2, for example, is the interface for connecting 45:11.000 --> 45:13.000 such devices to each other. 45:13.000 --> 45:15.000 We developed some scripts for spoofing 45:15.000 --> 45:18.000 and implementation testing for X2AP 45:18.000 --> 45:20.000 similar to S1AP. 45:20.000 --> 45:24.000 So they will also be published on our blog 45:24.000 --> 45:26.000 in the future. 45:26.000 --> 45:32.000 And yeah, it's working with management interfaces 45:32.000 --> 45:34.000 equivalently. 45:34.000 --> 45:38.000 Yeah, then we've got the simple question, 45:38.000 --> 45:40.000 as I said, the attack procedures. 45:40.000 --> 45:42.000 Faking the position of some eNodeB, 45:42.000 --> 45:45.000 trying to take down a whole network. 45:45.000 --> 45:47.000 Future research. 45:47.000 --> 45:50.000 Problem is we've got access to theoretical data, 45:50.000 --> 45:54.000 but actually try to find some cell network operator 45:54.000 --> 45:56.000 that allows you to have a look in their network. 45:56.000 --> 45:58.000 So, yeah, that's the problem.
46:02.000 --> 46:05.000 But actually, one that allows you to have a look in their network 46:05.000 --> 46:07.000 is quite hard to find. 46:07.000 --> 46:09.000 And then we've got the very simple question, 46:09.000 --> 46:13.000 LTE, will Darwin strike again? 46:13.000 --> 46:17.000 So, overall, we would say it's a good concept. 46:17.000 --> 46:19.000 So there was a lot of thought, 46:19.000 --> 46:21.000 and there are good thoughts behind it, 46:21.000 --> 46:23.000 but there is really a high complexity. 46:23.000 --> 46:28.000 And for all the engineers who developed UMTS and GSM, 46:28.000 --> 46:31.000 it's a really high complexity and a new technology. 46:31.000 --> 46:33.000 Now it's an IP network. 46:33.000 --> 46:38.000 So we all are asked to take a look at it. 46:38.000 --> 46:41.000 And we've seen there are some things 46:41.000 --> 46:43.000 which are a bit shocking, 46:43.000 --> 46:48.000 like this self-optimization and self-organizing networks, 46:48.000 --> 46:52.000 all the auto-configuration features, et cetera, 46:52.000 --> 46:57.000 and the security could be a bit more optimized, I would say. 46:57.000 --> 47:00.000 But we also can see they have learned. 47:00.000 --> 47:03.000 So they go in the right direction. 47:03.000 --> 47:10.000 They see the transmission of important traffic must be encrypted. 47:10.000 --> 47:16.000 They have inserted tokens for better authentication and so on. 47:16.000 --> 47:19.000 Coming back to our message. 47:19.000 --> 47:23.000 Quite simply said, Darwin awards, 47:23.000 --> 47:26.000 there are stupid things that if they've been done once, 47:26.000 --> 47:29.000 they shouldn't be done again. 47:29.000 --> 47:33.000 Why do you need optional encryption on critical devices? 47:33.000 --> 47:35.000 Come on, you know if something is optional, 47:35.000 --> 47:38.000 there will be a stupid guy not switching it on.
47:38.000 --> 47:45.000 And as I said, we haven't had access to real cell phone networks yet, hopefully. 47:45.000 --> 47:49.000 But you've got stacks of corporate experience. 47:49.000 --> 47:52.000 Who really uses optional encryption? 47:52.000 --> 47:55.000 Why make it possible to switch it off? 47:55.000 --> 47:58.000 And self-optimization, organization, it's a very good idea, 47:58.000 --> 48:03.000 but there is probably really a little bit more work and research 48:03.000 --> 48:05.000 that has to be put into it. 48:05.000 --> 48:08.000 So for this point, Darwin won't win. 48:08.000 --> 48:14.000 LTE will survive, but I guess it might be able to change in future. 48:14.000 --> 48:16.000 Thank you. 48:16.000 --> 48:22.000 Applause 48:22.000 --> 48:25.000 So we'd be done at this point. 48:25.000 --> 48:31.000 Are there any questions that you've got to ask now? 48:31.000 --> 48:36.000 Otherwise we'd be available after the talk. 48:36.000 --> 48:38.000 Perfect. 48:38.000 --> 48:40.000 Then have a great evening, enjoy the party, 48:40.000 --> 48:43.000 and I think you've got to leave the room quite quickly 48:43.000 --> 48:46.000 because all this stuff has to be got out of here. 48:46.000 --> 48:48.000 Cheers. 48:48.000 --> 48:52.000 Applause 48:52.000 --> 48:55.000 That's right, he's in a boat. 48:55.000 --> 49:24.000 Laughter